Grid Security

Introduction

Currently, one of the main security problems within grid environments is the lack of mechanisms for defining
and implementing grid security policies. This results mainly from the general complexity of securing
open network environments, but it also matters that grid technologies are relatively new and
solutions to many core problems have not been found yet. Because the general field of grid security lacks
sufficient standards, or often even specifications, any security service, in order to be applicable in practice,
must be able to cooperate with various solutions. Additionally, it should be possible to use such a service
with solutions and standards that are not available today. To address this problem, an appropriate authorization
service has to be introduced. The main research effort in the Security Workpackage is focused on the development of a flexible,
manageable and robust authorization service, the Grid(Lab) Authorization Service (GAS), and on introducing it
to the GridLab technologies and testbed.

See GAS placement on the GridLab architecture below:

GAS overview

The main goal of GAS is to provide functionality able to fulfill most authorization requirements
of grid computing environments. GAS is designed as a trusted single logical point for defining security
policy for complex grid infrastructures. As flexibility is a key requirement, GAS has to be able to implement
various security scenarios, based on push or pull models, simultaneously.

Secondly, GAS is designed to be independent of the specific technologies used at lower layers,
and it should be fully usable in environments based on Globus (supporting a compatibility scenario with CAS)
as well as on other toolkits. The high level of flexibility is achieved mainly through the modular design of GAS.
It is divided into five logical components, with the main GAS core module (Core Functionality) responsible for making
authorization decisions based upon the defined security policy, which is maintained as a set of permissions
for specific subjects (e.g. a user) and objects (e.g. a resource).

The general GAS architecture:

The remaining components are responsible for: managing the security policy (Management Components), communication between
users/applications/services and GAS (Communication Components), integration with a database system where policy
information is stored (Database with Policy Security), and interaction with other security solutions such as
authentication services (Integration with Security Solutions).
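The policy model described above (permissions held as subject/object/action triples), the core that decides on them, the management operations that change them, and the two scenarios GAS must support at once (pull: the resource asks the service at request time; push: the subject carries a capability issued by the service) are illustrated in the following added example. It is not GAS code and does not use the GAS API; the subject names, resource name, actions and HMAC-signed capability format are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import json
import time

# Constructed sample policy: one permission per (subject, object, action).
# Subject DNs, the resource name and the action names are hypothetical.
SAMPLE_POLICY = {
    ("/O=ExampleVO/CN=alice", "cluster-a", "submit-job"),
    ("/O=ExampleVO/CN=alice", "cluster-a", "read-queue"),
    ("/O=ExampleVO/CN=bob", "cluster-a", "read-queue"),
}


class PolicyCore:
    """Core component: evaluates requests against the permission set."""

    def __init__(self, permissions, signing_key):
        self._permissions = set(permissions)
        self._key = signing_key  # assumption: shared with trusted resources

    # Management component: change the policy at run time.
    def grant(self, subject, obj, action):
        self._permissions.add((subject, obj, action))

    def revoke(self, subject, obj, action):
        self._permissions.discard((subject, obj, action))

    # Pull model: the resource queries the core for every request.
    def is_authorized(self, subject, obj, action):
        return (subject, obj, action) in self._permissions

    # Push model: the core issues a signed, time-limited capability that
    # the subject presents to the resource; the resource verifies it offline.
    def issue_capability(self, subject, obj, action, ttl_seconds=300, now=None):
        if not self.is_authorized(subject, obj, action):
            return None
        now = time.time() if now is None else now
        claims = {"sub": subject, "obj": obj, "act": action, "exp": now + ttl_seconds}
        payload = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        return {"claims": claims, "tag": tag}


class Resource:
    """A protected object that can use either the pull or the push scenario."""

    def __init__(self, name, core, verify_key):
        self.name = name
        self._core = core
        self._verify_key = verify_key

    def check_pull(self, subject, action):
        return self._core.is_authorized(subject, self.name, action)

    def check_push(self, capability, subject, action, now=None):
        if capability is None:
            return False
        claims = capability["claims"]
        payload = json.dumps(claims, sort_keys=True).encode()
        expected = hmac.new(self._verify_key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, capability["tag"]):
            return False  # tampered or forged capability
        now = time.time() if now is None else now
        if now >= claims["exp"]:
            return False  # expired capability
        # The capability must name exactly this subject, this object, this action.
        return (claims["sub"], claims["obj"], claims["act"]) == (subject, self.name, action)


def run_scenarios(now=1_700_000_000.0):
    """Exercise both models against the constructed policy; returns outcomes by name."""
    key = b"constructed-demo-key"
    core = PolicyCore(SAMPLE_POLICY, key)
    cluster = Resource("cluster-a", core, key)
    alice, bob = "/O=ExampleVO/CN=alice", "/O=ExampleVO/CN=bob"
    results = {}
    results["pull_alice_submit"] = cluster.check_pull(alice, "submit-job")
    results["pull_bob_submit"] = cluster.check_pull(bob, "submit-job")
    cap = core.issue_capability(alice, "cluster-a", "submit-job", now=now)
    results["push_alice_submit"] = cluster.check_push(cap, alice, "submit-job", now=now)
    results["push_bob_submit"] = cluster.check_push(
        core.issue_capability(bob, "cluster-a", "submit-job", now=now), bob, "submit-job", now=now)
    bob_cap = core.issue_capability(bob, "cluster-a", "read-queue", now=now)
    forged = {"claims": dict(bob_cap["claims"], act="submit-job"), "tag": bob_cap["tag"]}
    results["push_tampered"] = cluster.check_push(forged, bob, "submit-job", now=now)
    results["push_expired"] = cluster.check_push(cap, alice, "submit-job", now=now + 600)
    # Revocation: the pull model reflects it immediately, the push model only
    # once the already issued capability expires.
    core.revoke(alice, "cluster-a", "submit-job")
    results["pull_after_revoke"] = cluster.check_pull(alice, "submit-job")
    results["push_after_revoke"] = cluster.check_push(cap, alice, "submit-job", now=now)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {'allow' if outcome else 'deny'}")
```

The last two scenarios show the trade-off a deployment mixing both models has to manage: a pull decision always sees the current policy, while a pushed capability stays valid until its expiry even after the permission has been revoked, so the capability lifetime bounds how long a revoked permission can still be exercised.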

GAS key features

Designed to fulfill the specific requirements of grid-based computing environments,

Trusted single logical point for managing the security policy of a virtual organization,

Independent of the specific technologies applied to build a grid infrastructure,

Support for different scenarios of using GAS, with the possibility to apply them simultaneously within a single virtual organization.